Data protection bill may be tabled in winter session

The committee led by retired Supreme Court Judge BN Srikrishna, which submitted its report along with a draft bill last week, has asserted that an individual owns his or her data.Surabhi Agarwal | ET Bureau | August 03, 2018, 07:15 IST

NEW DELHI: The government plans to table the draft personal data protection bill submitted by Justice BN Srikrishna committee in Parliament by December after holding consultations with different ministries, industry representatives and the public.

“The target is to take it to Parliament in the winter session,” a senior government official told ET on condition of anonymity. “The government is also likely to open it for consultation from the public which includes industry and experts.”

The committee led by retired Supreme Court Judge BN Srikrishna, which submitted its report along with a draft bill last week, has asserted that an individual owns his or her data.

It recommends a layered consent architecture and bringing in key principles of personal data processing, whereby companies should collect only the required data from an individual, state the purpose of its use explicitly, and store it only for as long as it is required.

As per the draft bill, citizens and internet users will have the final say on how and for what purpose personal data can be used, and they will also have the right to withdraw consent. There will also be the option of ‘right to be forgotten’, subject to certain conditions. However, some of the committee’s recommendations have raised concerns among companies.

These include the move to restrict cross-border flow of personal data, mandating storing “critical personal data” within the country, and criminal prosecution along with stiff penalties of up to 4% of the global turnover of a company against those violating data privacy rules.

The draft grants the government the discretion to identify what critical personal data is.

Venkatesh Krishnamoorthy, India country manager of The Software Alliance, or BSA, a trade group representing some of the world’s largest software makers including Microsoft and Apple, said that while the policy is a welcome step some of the provisions have caused concerns among its member companies.

“Our Prime Minister (Narendra) Modi has championed the cause of the digital world, but some clauses such as the ones on data localisation run counter to Modi's vision,” he told ET.

Krishnamoorthy said such clauses will prevent some BSA member companies, big and small, from offering their services in India, and increase cyber security risks since cross border flow of data can lead to better fraud analysis.

Two members of the Srikrishna committee — Rama Vedashree, CEO of Data Security Council of India, and Rishikesha Krishnan, director at IIM Indore — have also expressed dissent on some recommendations.

While both have expressed concern on data localisation, Vedashree said she disagreed with the categorisation of financial data and password as personal data in the draft bill. She also felt inclusion of “criminal offences” is draconian and sought an industry wide consultation before enacting the law.

Krishnan expressed reservations on the observations and recommendations regarding the Aadhaar Act, saying these were outside the scope of the committee’s work.

The passage of the bill may not be easy as draft law has overriding provisions over existing laws and more than 50 laws — particularly those dealing with Aadhaar, right to information and information technology — may have to be amended.